2008-12-05

How to Block Indy Library

Posted in Apache, Network Security, FreeBSD/Unix Servers at 15:32 Author: 仲远


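I think any website administrator who finds the time to read through the site's access logs, the raw logs rather than the statistics, will be alarmed, because there are so many ill-intentioned connections and requests. Usually these connections and requests do not succeed, so they do not cause much damage. But once they do succeed, the consequences can be very serious.

For example, here is an excerpt from a website access log: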

202.96.180.147 - - [05/Dec/2008:15:01:03 +0800] "GET /showtb.asp?id=80 HTTP/1.1" 404 10159 "-" "Mozilla/3.0 (compatible; Indy Library)"
202.96.180.147 - - [05/Dec/2008:15:01:11 +0800] "POST / HTTP/1.0" 200 38305 "http://www.wangzhongyuan.com/archives/80.html" "Mozilla/3.0 (compatible; Indy Library)"
219.131.237.77 - - [05/Dec/2008:15:02:46 +0800] "GET /showtb.asp?id=285 HTTP/1.1" 404 9957 "-" "Mozilla/3.0 (compatible; Indy Library)"
219.131.237.77 - - [05/Dec/2008:15:02:52 +0800] "POST / HTTP/1.0" 200 38422 "http://www.wangzhongyuan.com/archives/285.html" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:03:32 +0800] "GET /showtb.asp?id=424 HTTP/1.1" 404 9996 "-" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:03:36 +0800] "POST / HTTP/1.0" 200 38226 "http://www.wangzhongyuan.com/archives/424.html" "Mozilla/3.0 (compatible; Indy Library)"
220.189.55.228 - - [05/Dec/2008:15:04:23 +0800] "GET /showtb.asp?id=160 HTTP/1.1" 404 9779 "-" "Mozilla/3.0 (compatible; Indy Library)"
220.189.55.228 - - [05/Dec/2008:15:04:26 +0800] "POST / HTTP/1.0" 200 38539 "http://www.wangzhongyuan.com/archives/160.html" "Mozilla/3.0 (compatible; Indy Library)"
58.212.131.137 - - [05/Dec/2008:15:07:41 +0800] "GET /showtb.asp?id=62 HTTP/1.1" 404 9999 "-" "Mozilla/3.0 (compatible; Indy Library)"
58.212.131.137 - - [05/Dec/2008:15:07:43 +0800] "POST / HTTP/1.0" 200 38378 "http://www.wangzhongyuan.com/archives/62.html" "Mozilla/3.0 (compatible; Indy Library)"
222.247.84.154 - - [05/Dec/2008:15:11:56 +0800] "GET /showtb.asp?id=62 HTTP/1.1" 404 9904 "-" "Mozilla/3.0 (compatible; Indy Library)"
222.247.84.154 - - [05/Dec/2008:15:11:58 +0800] "POST / HTTP/1.0" 200 38450 "http://www.wangzhongyuan.com/archives/62.html" "Mozilla/3.0 (compatible; Indy Library)"
59.50.54.222 - - [05/Dec/2008:15:13:03 +0800] "GET /showtb.asp?id=434 HTTP/1.1" 404 9924 "-" "Mozilla/3.0 (compatible; Indy Library)"
59.50.54.222 - - [05/Dec/2008:15:13:04 +0800] "POST / HTTP/1.0" 200 38377 "http://www.wangzhongyuan.com/archives/434.html" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:14:25 +0800] "GET /showtb.asp?id=426 HTTP/1.1" 404 10028 "-" "Mozilla/3.0 (compatible; Indy Library)"
121.205.55.154 - - [05/Dec/2008:15:14:31 +0800] "POST / HTTP/1.0" 200 38466 "http://www.wangzhongyuan.com/archives/426.html" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:21:55 +0800] "GET /showtb.asp?id=434 HTTP/1.1" 404 9912 "-" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:21:56 +0800] "GET /showtb.asp?id=434 HTTP/1.1" 404 9967 "-" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:22:03 +0800] "POST / HTTP/1.0" 200 38474 "http://www.wangzhongyuan.com/archives/434.html" "Mozilla/3.0 (compatible; Indy Library)"
125.46.10.62 - - [05/Dec/2008:15:22:02 +0800] "POST / HTTP/1.0" 200 38486 "http://www.wangzhongyuan.com/archives/434.html" "Mozilla/3.0 (compatible; Indy Library)"
119.114.144.169 - - [05/Dec/2008:15:22:43 +0800] "GET /showtb.asp?id=369 HTTP/1.1" 404 9916 "-" "Mozilla/3.0 (compatible; Indy Library)"
119.114.144.169 - - [05/Dec/2008:15:22:50 +0800] "POST / HTTP/1.0" 200 38535 "http://www.wangzhongyuan.com/archives/369.html" "Mozilla/3.0 (compatible; Indy Library)"

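As you can see, this "guy" whose User-Agent identifies it as Indy Library has made a great many malicious requests, and it frequently POSTs data as well. It also disguises itself: the IPs are all different, so simply blocking IPs clearly will not work.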
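The pattern in the excerpt above, as an added example that is not part of the original post: a Python script that parses combined-format log lines, flags requests with the same case-insensitive "Indy Library" substring test the `.htaccess` rule further down uses, and reports how many distinct IPs they come from and how many an exact string comparison would catch. The sample lines are constructed (documentation IP ranges and example.com), and the lowercase variant User-Agent is an assumption for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Same test as SetEnvIfNoCase User-Agent "Indy Library": case-insensitive, anywhere in the header.
UA_RE = re.compile(r'Indy Library', re.IGNORECASE)
EXACT_UA = 'Mozilla/3.0 (compatible; Indy Library)'

# Constructed sample shaped like the excerpt above; the last line is an assumed UA variant.
SAMPLE_LOG = '''\
192.0.2.10 - - [05/Dec/2008:15:01:03 +0800] "GET /showtb.asp?id=80 HTTP/1.1" 404 10159 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [05/Dec/2008:15:01:11 +0800] "POST / HTTP/1.0" 200 38305 "http://www.example.com/archives/80.html" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [05/Dec/2008:15:02:46 +0800] "GET /showtb.asp?id=285 HTTP/1.1" 404 9957 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 - - [05/Dec/2008:15:02:52 +0800] "POST / HTTP/1.0" 200 38422 "http://www.example.com/archives/285.html" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.5 - - [05/Dec/2008:15:03:00 +0800] "GET /archives/80.html HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.4"
203.0.113.9 - - [05/Dec/2008:15:04:23 +0800] "POST / HTTP/1.0" 200 38539 "http://www.example.com/archives/160.html" "mozilla/4.0 (compatible; indy library)"
'''

def summarize(log_text):
    """Return (requests per flagged IP, flagged POSTs answered 200, flagged requests with the exact UA)."""
    per_ip = defaultdict(int)
    posts_ok = 0
    exact = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not UA_RE.search(m['agent']):
            continue  # unparseable line or ordinary client
        per_ip[m['ip']] += 1
        if m['method'] == 'POST' and m['status'] == '200':
            posts_ok += 1  # the bot's POST was accepted by the site
        if m['agent'] == EXACT_UA:
            exact += 1     # what a strict == comparison would catch
    return dict(per_ip), posts_ok, exact

if __name__ == '__main__':
    per_ip, posts_ok, exact = summarize(SAMPLE_LOG)
    print(f'{sum(per_ip.values())} flagged requests from {len(per_ip)} IPs, '
          f'{posts_ok} POSTs answered 200, {exact} with the exact UA string')
```

On the sample, the requests are spread over three addresses, and the exact comparison misses the variant User-Agent that the substring test still flags.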

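After searching online, I found that Indy Library was originally an open-source library for network operations, but it has been forcibly cracked and abused in some Chinese spam bots. Most of the recent requests that use the string "Indy Library" as their User-Agent come from these Chinese "original works". In other words, this "guy" is most likely a program that automatically posts spam advertisements.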

There are two ways to block it:
(1) Modify the .htaccess file

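# Flag any request whose User-Agent contains "Indy Library" (case-insensitive)
SetEnvIfNoCase User-Agent "Indy Library" bad_bot
Order Allow,Deny
Allow from all
# Refuse flagged requests with 403
Deny from env=bad_bot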

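After this change, the access log shows all of these requests returning 403, and the bot may keep requesting the same page over and over.

(2) Modify the site code to return an empty response

For example: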

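// Read the client's User-Agent header (empty string if it is absent)
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if ("Mozilla/3.0 (compatible; Indy Library)" == $user_agent)
{
    exit();  // end the request without sending a body
}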

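This way the server itself returns a 200 status but sends no content.

This article may be freely reposted; when reposting, please keep the full text and credit the source:
Reposted from 仲子说 [ http://www.wangzhongyuan.com/ ]
Original link: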
